Analysis
-
max time kernel
147s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
27-05-2024 15:36
Static task
static1
Behavioral task
behavioral1
Sample
799771ed49526278d6116d80ed800eae_JaffaCakes118.rtf
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
799771ed49526278d6116d80ed800eae_JaffaCakes118.rtf
Resource
win10v2004-20240426-en
General
-
Target
799771ed49526278d6116d80ed800eae_JaffaCakes118.rtf
-
Size
824KB
-
MD5
799771ed49526278d6116d80ed800eae
-
SHA1
c25fe6f2cd4e4bb23df3c70cff9966a4fdf02242
-
SHA256
592b3020e3d173ec6a83f9c082843097740cc293a786ed1e1e066cfff97dd82f
-
SHA512
fbef4ffe7fc1b41ffa816cd7a0c88f19bcd0037249a6fb5e87b3bcabef5a61601ad711911057ff804e4320435a45ceb5da0eed74fdf49561ae661b26527521fa
-
SSDEEP
12288:e+WhWEyIuvEpsdBOHkY2iBL1gda4mEqLLNrTtOpsdfU:eIRITpsdwHkibijqLhrTkpsd8
Malware Config
Extracted
formbook
3.8
ch36
hookbug.com
useicar.net
plentyofhosting.com
finalmary.win
pacwestcoastalproperties.com
prideharmonyfoundation.com
royaltakeout.com
lephare-shop.com
alphaomeganetworks.com
solistkonsilanlari.com
yj-info.net
badajozbeerlab.com
wwwjsvip9999.com
centraltexasrvpark.net
hosofb789.com
roademissions.com
toscanaristorazione.com
jrmsj.com
sweetsncandy.com
hzcrgg.com
sonerpar.com
xn--68s.com
tulacoin.com
fotoknihy.cloud
baguettebistro.net
miranet-technologies.com
bricksontour.com
gsbg.online
cameroonmarketing.com
simphiwe.com
shuangsim.com
qg0ficll0.biz
marcosnovaisedaniela.com
bleuproof.com
v64w3.info
eugeniaolenka.com
fi0rgl.info
chenyunchao.com
8o474.com
dijar.win
lorenzofernando.com
zebrita.com
techhomebuilding.net
thenexus.email
primavalve.com
legiondj.com
newbjlhuedu.com
wobblyfinancials.life
killignorancenotourkids.info
comoestouvencendoaobesidade.com
vendorscafe.com
manette-playstation.com
dtchun.com
lahdee.net
bestpetmed.com
miro.ltd
hierges.net
fairytalefitness.com
crb.company
mysignage.net
rockmakerscissors.info
apkspices.com
astronumerologyreading.com
mamstreet.com
empoweremyv.com
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2636 2588 cmd.exe WINWORD.EXE Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2776 2588 cmd.exe WINWORD.EXE -
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/904-45-0x0000000000400000-0x000000000042A000-memory.dmp formbook behavioral1/memory/904-49-0x0000000000400000-0x000000000042A000-memory.dmp formbook -
Executes dropped EXE 2 IoCs
Processes:
exe.exeexe.exepid process 2044 exe.exe 904 exe.exe -
Loads dropped DLL 3 IoCs
Processes:
cmd.exeexe.exepid process 2704 cmd.exe 2704 cmd.exe 2044 exe.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
exe.exeexe.execscript.exedescription pid process target process PID 2044 set thread context of 904 2044 exe.exe exe.exe PID 904 set thread context of 1232 904 exe.exe Explorer.EXE PID 1720 set thread context of 1232 1720 cscript.exe Explorer.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2148 timeout.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2832 taskkill.exe -
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes:
EQNEDT32.EXEEQNEDT32.EXEpid process 2672 EQNEDT32.EXE 2748 EQNEDT32.EXE -
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2588 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
exe.execscript.exepid process 904 exe.exe 904 exe.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe 1720 cscript.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
exe.execscript.exepid process 904 exe.exe 904 exe.exe 904 exe.exe 1720 cscript.exe 1720 cscript.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskkill.exeexe.execscript.exedescription pid process Token: SeDebugPrivilege 2832 taskkill.exe Token: SeDebugPrivilege 904 exe.exe Token: SeDebugPrivilege 1720 cscript.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
exe.exepid process 2044 exe.exe 2044 exe.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
exe.exepid process 2044 exe.exe 2044 exe.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
WINWORD.EXEexe.exepid process 2588 WINWORD.EXE 2588 WINWORD.EXE 2044 exe.exe 2588 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WINWORD.EXEcmd.execmd.exeEQNEDT32.EXEdescription pid process target process PID 2588 wrote to memory of 2636 2588 WINWORD.EXE cmd.exe PID 2588 wrote to memory of 2636 2588 WINWORD.EXE cmd.exe PID 2588 wrote to memory of 2636 2588 WINWORD.EXE cmd.exe PID 2588 wrote to memory of 2636 2588 WINWORD.EXE cmd.exe PID 2636 wrote to memory of 2704 2636 cmd.exe cmd.exe PID 2636 wrote to memory of 2704 2636 cmd.exe cmd.exe PID 2636 wrote to memory of 2704 2636 cmd.exe cmd.exe PID 2636 wrote to memory of 2704 2636 cmd.exe cmd.exe PID 2588 wrote to memory of 2776 2588 WINWORD.EXE cmd.exe PID 2588 wrote to memory of 2776 2588 WINWORD.EXE cmd.exe PID 2588 wrote to memory of 2776 2588 WINWORD.EXE cmd.exe PID 2588 wrote to memory of 2776 2588 WINWORD.EXE cmd.exe PID 2704 wrote to memory of 2148 2704 cmd.exe timeout.exe PID 2704 wrote to memory of 2148 2704 cmd.exe timeout.exe PID 2704 wrote to memory of 2148 2704 cmd.exe timeout.exe PID 2704 wrote to memory of 2148 2704 cmd.exe timeout.exe PID 2748 wrote to memory of 1252 2748 EQNEDT32.EXE CmD.exe PID 2748 wrote to memory of 1252 2748 EQNEDT32.EXE CmD.exe PID 2748 wrote to memory of 1252 2748 EQNEDT32.EXE CmD.exe PID 2748 wrote to memory of 1252 2748 EQNEDT32.EXE CmD.exe PID 2704 wrote to memory of 2044 2704 cmd.exe exe.exe PID 2704 wrote to memory of 2044 2704 cmd.exe exe.exe PID 2704 wrote to memory of 2044 2704 cmd.exe exe.exe PID 2704 wrote to memory of 2044 2704 cmd.exe exe.exe PID 2704 wrote to memory of 2832 2704 cmd.exe taskkill.exe PID 2704 wrote to memory of 2832 2704 cmd.exe taskkill.exe PID 2704 wrote to memory of 2832 2704 cmd.exe taskkill.exe PID 2704 wrote to memory of 2832 2704 cmd.exe taskkill.exe PID 2704 wrote to memory of 2564 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2564 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2564 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2564 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1668 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1668 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1668 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1668 2704 cmd.exe reg.exe PID 2704 wrote to memory of 3020 2704 cmd.exe reg.exe PID 2704 wrote to memory of 3020 2704 cmd.exe reg.exe PID 2704 wrote to memory of 3020 2704 cmd.exe reg.exe PID 2704 wrote to memory of 3020 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1684 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1684 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1684 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1684 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2160 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2160 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2160 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2160 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2240 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2240 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2240 2704 cmd.exe reg.exe PID 2704 wrote to memory of 2240 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1532 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1532 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1532 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1532 2704 cmd.exe reg.exe PID 2704 wrote to memory of 756 2704 cmd.exe reg.exe PID 2704 wrote to memory of 756 2704 cmd.exe reg.exe PID 2704 wrote to memory of 756 2704 cmd.exe reg.exe PID 2704 wrote to memory of 756 2704 cmd.exe reg.exe PID 2704 wrote to memory of 1072 2704 cmd.exe cmd.exe PID 2704 wrote to memory of 1072 2704 cmd.exe cmd.exe PID 2704 wrote to memory of 1072 2704 cmd.exe cmd.exe PID 2704 wrote to memory of 1072 2704 cmd.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1232
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\799771ed49526278d6116d80ed800eae_JaffaCakes118.rtf"2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\timeout.exeTIMEOUT 15⤵
- Delays execution with timeout.exe
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\exe.exeC:\Users\Admin\AppData\Local\Temp\ExE.ExE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\exe.exeC:\Users\Admin\AppData\Local\Temp\ExE.ExE6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:904 -
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM winword.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f5⤵PID:2564
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f5⤵PID:1668
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f5⤵PID:3020
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f5⤵PID:1684
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f5⤵PID:2160
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f5⤵PID:2240
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f5⤵PID:1532
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f5⤵PID:756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"5⤵PID:1072
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"6⤵PID:1192
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"5⤵PID:1340
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"6⤵PID:608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"5⤵PID:1064
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"6⤵PID:1876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"5⤵PID:1812
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"6⤵PID:1120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"5⤵PID:1920
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"6⤵PID:1796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"5⤵PID:1912
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"6⤵PID:1828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"5⤵PID:3000
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"6⤵PID:2768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"5⤵PID:2808
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"6⤵PID:2756
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt3⤵
- Process spawned unexpected child process
PID:2776 -
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵PID:468
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1720 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"3⤵PID:1516
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\CmD.exeCmD /C %tmp%\task.bat & UUUUUUUUc2⤵PID:1252
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Launches Equation Editor
PID:2672
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2nd.batFilesize
2KB
MD5042a85703b16f6204b77947e223ca8d8
SHA1748c78444785ba150c7b59f69d83fbea02d3ac08
SHA256b2142ce20a5abca30228f0e4c9cf5d37b5e63bc172e0212c0cb36c97dfe65bd4
SHA512670e5e33cd8180c28e9927e90ff0ed1bb642bda9b59b6c589d444f22b1ee8a64052d43f2fbe224e5ef24bf5d75aa276291fb0ba3d6bd96657926372fc5ae9bc2
-
C:\Users\Admin\AppData\Local\Temp\exe.exeFilesize
336KB
MD5668eb6d8d8cba4d2ba26eeb6901ac0c9
SHA1a102977cdcc9dd511ecf1353479fedbfd6c4f611
SHA256afa7ae184febb37001415917d853b9d74c86378912093985a34724db92ee7d51
SHA512676ca803cc3911a264391d96d5ab578e0c56b7849851b8dc53c2aafd9570225f05ead349bc0f21bd92857d7503c03906e85e8901372dc62cf5e385ee046e18b7
-
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sctFilesize
432B
MD58decdcaeb92d9f628b6bf95de4c0597a
SHA119443ad64921ef01a77619350efcc97cd767a36b
SHA256e4f6b9def338fe9aca9e8796e79c58c5e42168e697c41bfe149946513765036e
SHA512d67fee80c9f4884331e476f53de7516d21e926cf2f00094bf310ccd6e875164740b31749ec1ea43c1015037590b9bfebe2bde0065d75e42343bfbd0c46bccf59
-
C:\Users\Admin\AppData\Local\Temp\task.batFilesize
149B
MD5c42b20e49a3b093e2d0c9d6b3051cfc7
SHA15fc1f968c7285c8b0c5f25e839e14d77df7e28f3
SHA25683935da79d6a4dcfd28121b5c0dd01b40e66da125971ac49e65221efb91a65a6
SHA51201881572adbe471797fd901057fabb1d631fc675dacd33c59876b9bb163deb1b9f8f82ed49c8a19bf69d871abe8e241beba8dcddc84ca4caf13ee4d4be9ac1fe
-
memory/904-45-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/904-49-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1232-48-0x00000000002D0000-0x00000000003D0000-memory.dmpFilesize
1024KB
-
memory/1232-54-0x0000000004C20000-0x0000000004CE6000-memory.dmpFilesize
792KB
-
memory/1720-51-0x0000000000750000-0x0000000000772000-memory.dmpFilesize
136KB
-
memory/2588-0-0x000000002F701000-0x000000002F702000-memory.dmpFilesize
4KB
-
memory/2588-2-0x000000007155D000-0x0000000071568000-memory.dmpFilesize
44KB
-
memory/2588-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2588-42-0x000000007155D000-0x0000000071568000-memory.dmpFilesize
44KB